Windows CipherSuite doesn't apply with AS2Send on BizTalk 2016

  • Question

  • Now I'm using AS2Send to submit X12 messages to my partner, but they require a specific CipherSuite, which I have already enabled in Group Policy/Admin Template/Network/SSL Setting/CipherSuite. But I always monitor the communication with network tools and saw that the BizTalk HTTP AS2Send adapter doesn't use the CipherSuite that I put into the system at all. I've checked with IE and it applies what I expect, but not BizTalk.

    How do I make my custom CipherSuite take effect with the BizTalk AS2Send adapter?

    TLS_RSA_WITH_AES_256_GCM_SHA384
    Thanks,

    Abweg9
    Thursday, March 15, 2018 8:11 AM

Answers

  • Hi Abweg9,

    I ran into the same problem last week, but managed to resolve it by configuring two parts:

    1. BizTalk is using .NET Framework 4.0, which supports only TLS 1.0, but your CipherSuite should be related to TLS 1.1 or TLS 1.2. So what you need to do is enforce .NET Framework 4.0 to support Strong Crypto, aka TLS 1.1 & 1.2.
    2. Enable TLS 1.1 & 1.2 in the SChannel registry.

    Use the following method:

    Enable .NET Framework 4.0 to support TLS 1.1 and 1.2 (by default, it supports only TLS 1.0):

    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319] "SchUseStrongCrypto"=dword:00000001
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319] "SchUseStrongCrypto"=dword:00000001

    Update the registry, or use IISCrypto --> SChannel tab, to enable TLS 1.1 & 1.2 on both the Client and Server side:

    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client] "DisabledByDefault"=dword:00000000 "Enabled"=dword:00000001
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server] "DisabledByDefault"=dword:00000000 "Enabled"=dword:00000001
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client] "DisabledByDefault"=dword:00000000 "Enabled"=dword:00000001
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server] "DisabledByDefault"=dword:00000000 "Enabled"=dword:00000001
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client] "DisabledByDefault"=dword:00000000 "Enabled"=dword:00000001
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server] "DisabledByDefault"=dword:00000000 "Enabled"=dword:00000001
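    To confirm that both parts of the change are actually in place on the BizTalk server before restarting the host instances, here is an added PowerShell audit (not code from the thread or from IISCrypto); it reads only the key paths and value names quoted in the answer above and reports each one, treating an absent value as "OS default" rather than as an error.

```powershell
# Added example: audit the SchUseStrongCrypto and SChannel protocol values
# described in the answer. Run in an elevated PowerShell on the BizTalk server.
# .NET reads SchUseStrongCrypto at process start, so host instances must be
# restarted after any change for the AS2Send adapter to pick it up.

$strongCryptoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
)
$schannelBase = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value does not exist instead of throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

# Part 1: SchUseStrongCrypto must be 1 in both the 64-bit and the Wow6432Node hive,
# because a 32-bit host instance reads the Wow6432Node copy.
foreach ($key in $strongCryptoKeys) {
    $v = Get-RegDword -Path $key -Name 'SchUseStrongCrypto'
    $state = if ($v -eq 1) { 'OK' } else { 'FIX' }
    '{0,-8} SchUseStrongCrypto={1} {2}' -f $state, $v, $key
}

# Part 2: for each protocol and side, Enabled must be non-zero and
# DisabledByDefault must be 0. Windows commonly stores Enabled as 0xffffffff,
# which Get-ItemProperty returns as -1, so test for "non-zero", not "equals 1".
foreach ($proto in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    foreach ($side in 'Client', 'Server') {
        $key      = Join-Path $schannelBase "$proto\$side"
        $enabled  = Get-RegDword -Path $key -Name 'Enabled'
        $disabled = Get-RegDword -Path $key -Name 'DisabledByDefault'
        $state = if ($null -ne $enabled -and $enabled -ne 0 -and $disabled -eq 0) { 'OK' }
                 elseif ($null -eq $enabled -and $null -eq $disabled) { 'DEFAULT' }
                 else { 'CHECK' }
        '{0,-8} {1,-8} {2,-7} Enabled={3} DisabledByDefault={4}' -f `
            $state, $proto, $side, $enabled, $disabled
    }
}
```

    A DEFAULT row means the version has not been pinned explicitly and SChannel falls back to the OS default for that Windows release; once the AS2Send partner only accepts TLS 1.2 suites, a CHECK or FIX row is the first place to look.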

    Cheers,

    Sungsit




    Thursday, March 15, 2018 10:31 AM
  • Hi,

    Some more info about Strong Crypto can be found here:

    https://www.johnlouros.com/blog/enabling-strong-cryptography-for-all-dot-net-applications

    Br,

    Leo


    • Marked as answer by Abweg 9 Wednesday, March 21, 2018 7:33 AM
    Thursday, March 15, 2018 10:48 AM
